Managing Keys and Certificates Used with Secure Boot

2.2.3 Managing Keys and Certificates Used with Secure Boot

On bare metal database servers and KVM hosts, you can use the Machine Owner Keys (MOK) utility (mokutil) to manage the keys and certificates used with Secure Boot.

The certificates are signed by DigiCert. By default, a certificate is valid for one year from the date of signing. Even though a certificate may expire, the validation is based on the date on which the grub and kernel were signed and if the certificate was valid at that time.

To renew the certificates, you update the kernel, grub, and ILOM on the secured servers with a new, signed version.

To query the existing keys, run the mokutil command as the root user.

For example:

# mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 5f:f4:35:5a:49:ec:8d:f1:56:d1:ee:9b:ac:f6:19:54:08:77:d3:59
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            21:b3:c1:01:19:dc:af:44:43:15:8b:0f:33:6b:18:be
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA - G2
        Validity
            Not Before: Jun 30 00:00:00 2020 GMT
            Not After : Jul  1 23:59:59 2021 GMT
        Subject: jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2101822, C=US/postalCode=94065, ST=California, L=Redwood City/street=500 Oracle Parkway, O=Oracle America Inc., OU=Winqual, CN=Oracle America Inc.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:8d:3e:e0:3b:35:99:fb:11:c0:2a:12:ac:07:40:
                    f7:90:d4:d3:62:5e:85:2d:ea:94:af:5f:26:33:98:
                    c8:03:33:0e:30:5e:4d:44:ca:fa:1a:3a:49:88:64:
                    89:16:5c:39:f3:35:86:ed:25:eb:0f:ca:fa:2c:3d:
                    d6:23:2a:b3:1e:62:fb:45:88:1a:05:be:95:d6:6a:
                    d9:c5:f2:81:7a:cc:63:71:3c:37:a0:23:1c:eb:20:
                    1a:3d:13:89:6a:9e:47:a0:eb:ca:64:21:3f:7a:f4:
                    e6:09:bf:47:63:c8:b3:6b:a5:c6:1b:de:f6:06:12:
                    56:eb:ab:24:00:01:c9:80:db:be:66:49:64:ac:c8:
                    ce:1e:da:7a:c1:42:21:85:f9:67:81:a4:f0:6d:14:
                    01:9b:45:1e:9f:08:e5:18:b7:c5:34:e5:55:e2:11:
                    dc:fe:0c:36:32:f4:bb:cb:34:00:37:b2:41:05:5f:
                    0a:69:68:55:cb:4e:ec:ca:cc:1b:67:dc:05:f1:98:
                    95:c4:14:35:41:01:fe:f5:bd:63:1a:8d:cc:8a:1f:
                    b6:87:ac:02:ea:e2:2e:29:d6:11:b9:bc:aa:d6:44:
                    3e:32:3c:a9:12:a4:aa:09:ec:6e:ba:99:08:58:36:
                    6b:ef:40:c5:3e:47:36:93:53:f1:c9:f2:79:f2:53:
                    c9:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.3
                  CPS: https://d.symcb.com/cps
                  User Notice:
                    Explicit Text: https://d.symcb.com/rpa

            X509v3 Subject Key Identifier:
                BC:59:71:95:4C:74:9D:3D:30:98:52:EF:0F:3C:23:6F:A4:98:E8:F6
            X509v3 Authority Key Identifier:
                keyid:16:66:DE:4A:34:E3:50:A7:11:86:03:B1:6C:A9:C6:AC:CD:59:6E:9B

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://sw.symcb.com/sw.crl

            Authority Information Access:
                OCSP - URI:http://sw.symcd.com
                CA Issuers - URI:http://sw.symcb.com/sw.crt

    Signature Algorithm: sha256WithRSAEncryption
         38:4d:10:69:07:db:7c:ce:18:2b:1e:c5:89:1c:71:a9:b0:07:
         19:43:2d:a0:88:c5:f5:bf:82:a9:4b:f9:45:fa:2c:7c:00:cb:
         be:24:b0:a8:98:7d:f5:a3:c4:42:52:f4:75:fd:22:c5:0c:2e:
         a2:13:7f:b9:24:79:04:d5:ea:0e:1a:e6:e8:4c:61:48:65:5b:
         c7:30:81:90:fd:17:d5:39:d4:70:00:00:b8:c5:80:03:da:88:
         e0:f1:39:aa:d9:1d:ef:2f:bf:c3:06:18:2a:1b:1f:ce:30:a2:
         bb:dd:d0:46:0e:d5:e1:22:0c:a0:cc:df:00:fe:0a:99:d5:cc:
         16:76:4b:ab:dc:bb:80:4b:0e:1b:f5:5e:04:22:3e:a9:d0:70:
         56:87:9b:c1:2f:95:cf:36:34:e7:c7:2e:0c:56:f3:24:fa:7d:
         f7:25:54:50:34:f6:e5:30:76:8b:fd:65:25:19:8a:54:f9:f1:
         93:24:ad:22:25:4a:e0:a2:63:b6:d7:d1:82:4e:5a:fc:34:52:
         b4:9e:7d:1a:e2:b7:a1:92:13:0f:9d:7b:ae:42:6f:64:a2:02:
         47:c7:f9:11:12:e4:82:b9:f7:ed:ce:14:ac:c2:b4:e3:cc:c4:
         ef:f8:9f:78:23:91:89:b0:37:24:f1:c6:61:0c:2e:cf:af:29:
         e5:68:70:4d

Parent topic: Restricting the Binaries Used to Boot the System